如何通过 kubespray 设置本地主机名通过身份验证？

Question

您好，我在通过 kubespray 使用 ansible 时不断收到此错误，我想知道如何克服它

TASK [bootstrap-os : Assign inventory name to unconfigured hostnames (non-CoreOS, non-Flatcar, Suse and ClearLinux)] ********************************************************************************************************************************************************************************************************
task path: /home/dc/xcp-projects/kubespray/roles/bootstrap-os/tasks/main.yml:50

<192.168.10.55> (1, b'\x1b[1;31m==== AUTHENTICATING FOR org.freedesktop.hostname1.set-hostname ===\r\n\x1b[0mAuthentication is required to set the local host name.\r\nMultiple identities can be used for authentication:\r\n 1.  test\r\n 2.  provision\r\n 3.  dc\r\nChoose identity to authenticate as (1-3): \r\n{"msg": "Command failed rc=1, out=, err=\\u001b[0;1;31mCould not set property: Connection timed out\\u001b[0m\\n", "failed": true, "invocation": {"module_args": {"name": "node3", "use": null}}}\r\n', b'Shared connection to 192.168.10.55 closed.\r\n')
<192.168.10.55> Failed to connect to the host via ssh: Shared connection to 192.168.10.55 closed.
<192.168.10.55> ESTABLISH SSH CONNECTION FOR USER: provision
<192.168.10.55> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/home/dc/.ssh/xcp_server_k8s_nodes/xcp-k8s-provision-key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="provision"' -o ConnectTimeout=10 -oStrictHostKeyChecking=no -o ControlPath=/home/dc/.ansible/cp/c6d70a0b7d 192.168.10.55 '/bin/sh -c '"'"'rm -f -r /home/provision/.ansible/tmp/ansible-tmp-1614373378.5434802-17760837116436/ > /dev/null 2>&1 && sleep 0'"'"''
<192.168.10.56> (0, b'', b'')
fatal: [node2]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "name": "node2",
            "use": null
        }
    },
    "msg": "Command failed rc=1, out=, err=\u001b[0;1;31mCould not set property: Method call timed out\u001b[0m\n"
}

我的库存文件如下

all:
  hosts:
    node1:
      ansible_host: 192.168.10.54
      ip: 192.168.10.54
      access_ip: 192.168.10.54
    node2:
      ansible_host: 192.168.10.56
      ip: 192.168.10.56
      access_ip: 192.168.10.56
    node3:
      ansible_host: 192.168.10.55
      ip: 192.168.10.55
      access_ip: 192.168.10.55
  children:
    kube-master:
      hosts:
        node1:
        node2:
    kube-node:
      hosts:
        node1:
        node2:
        node3:
    etcd:
      hosts:
        node1:
        node2:
        node3:
    k8s-cluster:
      children:
        kube-master:
        kube-node:
    calico-rr:
      hosts: {}

我还有一个文件，通过以下方式提供用户

- name: Add a new user named provision
  user:
    name: provision
    create_home: true
    shell: /bin/bash
    password: "{{ provision_password }}"
    groups: sudo
    append: yes

- name: Add a new user named dc
  user:
    name: dc
    create_home: true
    shell: /bin/bash
    password: "{{ provision_password }}"
    groups: sudo
    append: yes

- name: Add provision user to the sudoers
  copy:
    dest: "/etc/sudoers.d/provision"
    content: "provision  ALL=(ALL)  NOPASSWD: ALL"

- name: Add provision user to the sudoers
  copy:
    dest: "/etc/sudoers.d/dc"
    content: "dc  ALL=(ALL)  NOPASSWD: ALL"


- name: Disable Root Login
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: "PermitRootLogin no"
    state: present
    backup: yes

  notify:
    - Restart ssh

我已按以下方式运行 ansible 命令

ansible-playbook -i kubespray/inventory/mycluster/hosts.yaml --user="provision"  --ssh-extra-args="-oStrictHostKeyChecking=no" --key-file "/home/dc/.ssh/xcp_server_k8s_nodes/xcp-k8s-provision-key" kubespray/cluster.yml -vvv

也

ansible-playbook -i kubespray/inventory/mycluster/hosts.yaml --user="provision"  --ssh-extra-args="-oStrictHostKeyChecking=no" --key-file "/home/dc/.ssh/xcp_server_k8s_nodes/xcp-k8s-provision-key" --become-user="provision" kubespray/cluster.yml -vv

两者都会产生相同的错误，有趣的是，升级似乎在早期点上取得了成功

阅读本文后 https://askubuntu.com/questions/542397/change-default-user-for-authentication 我决定将用户添加到 sudo 组，但错误仍然存​​在

查看错误建议的 main.yaml 文件位置，似乎此代码可能会导致问题？

# Workaround for https://github.com/ansible/ansible/issues/42726
# (1/3)
- name: Gather host facts to get ansible_os_family
  setup:
    gather_subset: '!all'
    filter: ansible_*

- name: Assign inventory name to unconfigured hostnames (non-CoreOS, non-Flatcar, Suse and ClearLinux)
  hostname:
    name: "{{ inventory_hostname }}"
  when:
    - override_system_hostname
    - ansible_os_family not in ['Suse', 'Flatcar Container Linux by Kinvolk', 'ClearLinux'] and not is_fedora_coreos

主机的操作系统是 ubuntu 20.04.02 服务器，我还能做些什么吗？

Answer 1

来自 Kubespray 文档：

# Deploy Kubespray with Ansible Playbook - run the playbook as root
# The option `--become` is required, as for example writing SSL keys in /etc/,
# installing packages and interacting with various systemd daemons.
# Without --become the playbook will fail to run!
ansible-playbook -i inventory/mycluster/hosts.yaml  --become --become-user=root cluster.yml

如上所述，这--become是强制性的，它允许对 Kubespray 执行的大多数系统修改（例如设置主机名）进行权限升级。

您只需--user=provision设置 SSH 用户，但无论如何都需要权限升级。您只是--become-user=provision说权限升级将升级到“配置”用户（但您需要--become进行权限升级）。在这两种情况下，除非“配置”用户具有 root 权限（不确定将其放入root组中是否足够），否则这是不够的。

为了使用户“提供”足够，您需要确保它可以在hostnamectl <some-new-host>不要求身份验证的情况下执行操作。